OCR Settles Alleged HIPAA Violations for $950,000 Following 2017 Ransomware Attack

King & Spalding

On July 1, 2024, the HHS Office for Civil Rights (OCR) announced that Heritage Valley Health System (Heritage Valley), a Pennsylvania-based healthcare system, has agreed to pay $950,000 to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. In addition, Heritage Valley agreed to a corrective action plan (CAP) to address alleged gaps in its HIPAA compliance program. The settlement with Heritage Valley is the third HIPAA enforcement action by HHS in a case involving ransomware.

The settlement stems from a global ransomware cyber-attack that occurred in 2017. HHS opened a compliance review after the media reported that Heritage Valley had experienced a data security incident. HHS then conducted a comprehensive investigation into Heritage Valley’s compliance with HIPAA. This investigation found several potential violations of HIPAA, including:

  • Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic PHI (ePHI) across the organization;
  • Failure to implement a contingency plan to respond to emergencies, like a ransomware attack, that damage systems that contain ePHI; and
  • Failure to implement policies and procedures to allow only authorized users access to ePHI.

In addition to agreeing to pay $950,000 for the alleged HIPAA violations, Heritage Valley agreed to implement a CAP under which OCR will monitor Heritage Valley for three years to ensure compliance with HIPAA. The agreed-upon CAP will require Heritage Valley to take the following corrective measures:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in its risk analysis;
  • Review, develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
  • Train its workforce on its HIPAA policies and procedures.

Ransomware breaches continue to be a top enforcement priority for OCR. According to OCR, there has been a 264% increase since 2018 in large breaches reported to OCR involving ransomware attacks.

The Resolution Agreement and Corrective Action Plan can be found here. The OCR Press Release regarding the Resolution Agreement can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© King & Spalding
